
IGA implementation phases: where most programmes get stuck


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Most IGA programmes fail because teams sequence controls poorly, leaving half-implemented systems that auditors do not trust, according to Zluri’s phase-by-phase strategy on access reviews, lifecycle automation, granular entitlement control, identity security, and self-service requests. The practical lesson is that governance must start with visibility and ownership, then tighten access and automation in stages rather than trying to solve everything at once.

NHIMG editorial — based on content published by Zluri: How to Implement IGA in Your Organization: A Phase-by-Phase Strategy

Questions worth separating out

Q: How should organisations phase an IGA programme without creating more access drift?

A: Start with access reviews to establish ownership and visibility, then automate joiner-mover-leaver changes so access follows identity events.

Q: Why do access reviews alone fail to control identity risk?

A: Access reviews only show you the state of access at a moment in time.

Q: What breaks when lifecycle management is still manual?

A: Manual lifecycle management creates delays between a business event and the identity update that should follow it.

Practitioner guidance

  • Start with a controlled access review pilot. Begin with high-value applications where ownership is clear, then document who approved each revoke, retain, or exception decision.
  • Automate joiner-mover-leaver triggers. Connect HR or another authoritative identity source to provisioning workflows so hires, transfers, and exits update access without manual ticket handoffs.
  • Map entitlements below the application layer. Break critical systems into their actual permission structures, such as roles, groups, channels, repositories, or permission sets.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The phase-by-phase implementation sequence with examples of what to do first and what to defer.
  • Practical setup guidance for linking HR-driven lifecycle events to provisioning and deprovisioning workflows.
  • Examples of how to structure entitlement ownership across applications such as CRM, ERP, and collaboration tools.
  • The vendor's own framing of how IGA can support both compliance evidence and business productivity.

👉 Read Zluri's phase-by-phase IGA implementation strategy →

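The joiner-mover-leaver reconciliation described in the practitioner guidance above, as an added example that is not part of the original post or of Zluri's article. It treats a constructed HR feed as the authoritative identity source, uses a hypothetical role-to-entitlement model that maps business roles to the permissions below the application layer (groups, repositories, permission sets), compares that against a snapshot of access actually held, and emits the grants and revokes needed so that access follows the identity event. It also lists access that neither the current role nor a documented exception justifies, which is exactly the population a point-in-time access review would only surface at the next cycle. All user names, roles, entitlement strings and records are constructed for illustration.

```python
"""Joiner-mover-leaver reconciliation against an authoritative HR feed.

Added example, not code from Zluri or the NHIMG post. Every role, entitlement
and record below is constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical entitlement model: a business role maps to concrete permissions
# below the application layer (groups, repos, permission sets), not "has app X".
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:gl-read", "erp:ap-approve", "okta:grp-finance"},
    "sales-rep": {"crm:opportunities-edit", "okta:grp-sales"},
    "engineer": {"github:repo-payments-write", "okta:grp-eng"},
}


@dataclass
class HRRecord:
    user: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class Action:
    user: str
    op: str           # "grant" or "revoke"
    entitlement: str
    reason: str       # "joiner", "mover", "leaver" or "orphan"


def reconcile(hr, current, exceptions):
    """Return (actions, excess).

    hr:         list[HRRecord], the authoritative source of identity events
    current:    dict user -> set of entitlements actually held right now
    exceptions: dict (user, entitlement) -> approver who documented the exception
    actions:    grants/revokes that make access follow the identity event
    excess:     (user, entitlement) held without a role or documented exception,
                i.e. what an access review would otherwise catch after the fact
    """
    actions, excess = [], []
    hr_users = {r.user for r in hr}

    for rec in hr:
        held = current.get(rec.user, set())
        if rec.status != "active":
            # Leaver: everything goes, exceptions included. An exception is a
            # documented deviation from the role model, not a standing right.
            for e in sorted(held):
                actions.append(Action(rec.user, "revoke", e, "leaver"))
            continue
        target = ROLE_ENTITLEMENTS.get(rec.role, set())
        reason = "joiner" if not held else "mover"
        for e in sorted(target - held):
            actions.append(Action(rec.user, "grant", e, reason))
        for e in sorted(held - target):
            if (rec.user, e) in exceptions:
                continue  # owner-approved; retained, and visible at review time
            # Movers keep nothing from the old role unless an exception says so.
            actions.append(Action(rec.user, "revoke", e, "mover"))
            excess.append((rec.user, e))

    # Accounts holding access with no HR identity behind them: if review scope
    # is built from the HR population, these never enter a review at all.
    for user in sorted(set(current) - hr_users):
        for e in sorted(current[user]):
            actions.append(Action(user, "revoke", e, "orphan"))
            excess.append((user, e))
    return actions, excess


# Constructed sample input: one joiner, one mover, one leaver, one orphan.
HR_FEED = [
    HRRecord("alice", "finance-analyst", "active"),   # joiner: holds nothing yet
    HRRecord("bob", "engineer", "active"),            # mover: transferred from sales
    HRRecord("carol", "sales-rep", "terminated"),     # leaver: access still present
]
CURRENT_ACCESS = {
    "bob": {"crm:opportunities-edit", "okta:grp-sales",
            "okta:grp-eng", "github:repo-payments-write"},
    "carol": {"crm:opportunities-edit", "okta:grp-sales"},
    "svc-reporting": {"erp:gl-read"},                 # no HR record at all
}
EXCEPTIONS = {("bob", "crm:opportunities-edit"): "sales-director"}


def run_example():
    return reconcile(HR_FEED, CURRENT_ACCESS, EXCEPTIONS)


if __name__ == "__main__":
    actions, excess = run_example()
    for a in actions:
        print(f"{a.reason:7} {a.op:6} {a.user:14} {a.entitlement}")
    print("excess access:", excess)
```

Running the module prints seven actions: three joiner grants for alice, one mover revoke for bob (his old sales group, while his documented CRM exception is retained), two leaver revokes for carol, and one orphan revoke for the service account that has no HR record. The two design choices worth noting are that leavers lose exceptions along with everything else, and that accounts outside the authoritative source are treated as findings rather than silently kept, since a review scoped from HR would never show them.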



(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

IGA fails when teams mistake periodic cleanup for governance. Access reviews are useful, but they are not a control model by themselves. They identify excess access after it exists, which means they cannot prevent drift between cycles or address systems that never enter the review scope. Practitioners should treat review outcomes as evidence for redesign, not as proof that access is inherently under control.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 92% of organisations expose NHIs to third parties, which means lifecycle and ownership decisions often extend beyond internal IAM boundaries.

A question worth separating out:

Q: How can security teams tell whether self-service access is working?

A: Self-service is working when requests route to the right approvers, approvals are consistent with policy, and provisioning happens without bypass paths or shadow requests. If users still submit tickets outside the workflow or managers routinely override decisions, the process is creating friction instead of governed speed.

👉 Read our full editorial: IGA implementation needs phased governance, not a tool-first rollout


